This could be, for instance, private keys for market signatures, etc. There are some bits that you show *nobody* if you want things to be even remotely secure.

Microsoft did actually screw up on this one. There was a clear procedure for disclosure in this case. Google was supposed to have been notified in advance of the inclusion of a 3rd party and be given 10 days to object. That process was violated.